The ACLU of California has obtained records showing that Twitter, Facebook, and Instagram provided user data access to Geofeedia, a developer of a social media monitoring product that we have seen marketed to law enforcement as a tool to monitor activists and protesters.

We are pleased that after we reported our findings to the companies, Instagram cut off Geofeedia’s access to public user posts, and Facebook has cut its access to a topic-based feed of public user posts. Twitter has also taken some recent steps to rein in Geofeedia though it has not ended the data relationship.

Further steps are required if these companies are to live up to their principles and policies by protecting users of all backgrounds engaging in political and social discourse. So today the ACLU of California, the Center for Media Justice, and Color of Change are calling on Twitter, Facebook and Instagram to commit to concrete changes to better protect users going forward. Read our letters here and here.

We first learned about these agreements with Geofeedia from responses to public records requests to 63 California law enforcement agencies. These records revealed the fast expansion of social media surveillance with little-to-no debate or oversight.

But as we continued to comb through thousands of pages of documents, we saw emails from Geofeedia representatives telling law enforcement about its special access to Twitter, Facebook, and Instagram user data.

Instagram had provided Geofeedia access to the Instagram API, a stream of public Instagram user posts. This data feed included any location data associated with the posts by users. Instagram terminated this access on September 19, 2016.

Facebook had provided Geofeedia with access to a data feed called the Topic Feed API, which is supposed to be a tool for media companies and brand purposes, and which allowed Geofeedia to obtain a ranked feed of public posts from Facebook that mention a specific topic, including hashtags, events, or specific places. Facebook terminated this access on September 19, 2016.

Twitter did not provide access to its “Firehose,” but has an agreement, via a subsidiary, to provide Geofeedia with searchable access to its database of public tweets. In February, Twitter added additional contract terms to try to further safeguard against surveillance. But our records show that as recently as July 11th, Geofeedia was still touting its product as a tool to monitor protests. After learning of this, Twitter sent Geofeedia a cease and desist letter.

Because Geofeedia obtained this access to Twitter, Facebook and Instagram as a developer, it could access a flow of data that would otherwise require an individual to “scrape” user data off of the services in an automated fashion that is prohibited by the terms of service (here and here). With this special access, Geofeedia could quickly access public user content and make it available to the 500 law enforcement and public safety clients claimed by the company.

Social media monitoring is spreading fast and is a powerful example of surveillance technology that can disproportionately impact communities of color. Using Geofeedia’s analytics and search capabilities and following the recommendations in their marketing materials, law enforcement in places like Oakland, Denver, and Seattle could easily target neighborhoods where people of color live, monitor hashtags used by activists and allies, or target activist groups as “overt threats.” We know for a fact that in in Oakland and Baltimore, law enforcement has used Geofeedia to monitor protests.

Yet there is a severe disconnect between these positions and the data access they have provided.

Beyond the agreements with Geofeedia, we are concerned about a lack of robust or properly enforced anti-surveillance policies. Neither Facebook nor Instagram has a public policy specifically prohibiting developers from exploiting user data for surveillance purposes. Twitter does have a “longstanding rule” prohibiting the sale of user data for surveillance as well as a Developer Policy that bans the use of Twitter data “to investigate, track or surveil Twitter users.” Publicly available policies like these need to exist and be robustly enforced.

Here is what we’re asking of the social networks:

No Data Access for Developers of Surveillance Tools: Social media companies should not provide data access to developers who have law enforcement clients and allow their product to be used for surveillance, including the monitoring of information about the political, religious, social views, racial background, locations, associations or activities of any individual or group of individuals.

Clear, Public & Transparent Policies: Social media companies should adopt clear, public, and transparent policies to prohibit developers from exploiting user data for surveillance purposes. The companies should publicly explain these policies, how they will be enforced, and the consequences of such violations. These policies should also appear prominently in specific materials and agreements with developers.

Oversight of Developers: Social media companies should institute both human and technical auditing mechanisms designed to effectively identify potential violations of this policy, both by the developers and end users, and take swift action for violations.

The government should not have preferred access to social media speech for surveillance purposes. We are confident the companies agree. Facebook and Instagram have already cut off access to Geofeedia and Twitter should do the same. It’s also time for all three of the companies to live up to their words by taking the additional concrete steps outlined in ourletters.

Note: The CEO of Geofeedia has asked to meet with us, and we look forward to hearing what he has to say.